CED

August 2014


20 | www.cedmag.com | Construction Equipment Distribution | August 2014
A finance officer at a financial institution was let
go due to poor performance. Before being terminated,
the employee used the company's computers
to access customer account information such as names,
Social Security numbers, driver's license numbers, and home
addresses. The employee used this information to open
accounts and incurred unauthorized charges under the
names of the individuals from whom he stole the personal
information. The defendant made numerous purchases totaling
over $50,000. (Source: U.S. Department of Justice, March 2013.)

Could this happen at your dealership? Unfortunately,
the answer is yes. That is why it is important to safeguard
customer data. Not only is it good business practice,
it's the law. The Federal Trade Commission (FTC) requires
businesses, financial institutions and creditors (including
dealerships and businesses involved in financing or arranging
purchase or lease financing) to develop and implement a
written program to identify and detect the relevant warning
signs – or "red flags" – possibly indicating identity theft.

The program must also prevent and mitigate instances
of identity theft and has to be managed by the board of
directors or senior employees of the business entity. It must
include appropriate staff training and supervision and oversight
of the use of any credit service providers at the dealership.
It must also describe appropriate responses that would prevent
and mitigate the crime, and detail a plan to update the
program as needed.

General Requirements

A written information security plan should designate one or
more senior management staff to coordinate and oversee
your customer identity information security plan. They would
have the responsibility to identify and assess the risks to
customer information in each relevant area of the dealer's
operation and evaluate the effectiveness of the current
safeguards by regularly monitoring and testing the program.
They would also:

- Select outside service providers who are qualified to
  maintain appropriate safeguards. Your contracts should
  require service providers to maintain stipulated safeguards,
  and you should oversee their handling of customer information.
- Evaluate and adjust the program in light of relevant
  circumstances, including changes in the firm's business or
  operations and the results of security testing, monitoring or
  actual identity theft incidents.

Employee Management and Training

Develop policies for employees who transmit data. Consider
whether and how employees should be allowed to keep or
access customer data at home. Also require that employees
who use personal computers to store or access customer
data use approved security against viruses, spyware and
other unauthorized intrusions. Coordinate this security with
your information technology area.
Additional risk controls include:

- Check references and do background checks before
  hiring employees who will have access to customer
  information.
- Require that every new employee sign an agreement to
  follow your company's confidentiality and security standards
  for handling customer information.

Threats from employees and hackers alike are your responsibility, and must
be controlled.
BY ERIC STILES
Is Your Customer Data Vulnerable to Identity Theft?